BizTech E-Newsletter

Is Perimeter-Based Network Security Dead?

Andrew is regular contributor to BizTech magazine. His experience includes marketing for a major IT services company and digital strategy for WashingtonExec.

The term zero trust has become one of cybersecurity’s latest buzzwords. Its specific meaning, however, can be rather convoluted; some define it as an architecture, while others see it as a suite of products or tools.

Despite the ambiguity, 47 percent of security professionals mentioned in an IDG survey that their organization is actively exploring zero-trust technologies. And while only 16 percent of organizations today have an explicit zero-trust strategy in place, according to a separate Okta survey, 97 percent are engaged in zero-trust projects.

To be clear, zero trust is broadly defined as an information security framework that tells an organization to view its own networks as innately hostile — or, as Dave Lewis told the audience at CDW’s Protect SummIT in San Antonio on Thursday, “Assume everything’s on fire.”

This mentality encourages security teams to question each and every device that’s on the business’s network, along with every action that takes place. “Don’t trust something simply because it’s inside your firewall — there’s no reason for that,” said Lewis, the global advisory CISO for Duo Security.

Still, the question remains: How can a term that’s so loosely defined have such a strong hold on security experts?

Security for the Modern World

“Most organizations still take a perimeter-based approach to security,” Teju Shyamsundar, senior product marketing manager for Okta, explained to SummIT attendees. “They consider the outside network to be nonsecure and their internal network to be the most secure.”

That model, however, no longer makes sense due to the major shift to a cloud-based and mobile-first world, Lewis said. “This shift has dissolved the traditional network perimeter.”

“The actors are no longer coming at you head-on,” he said. “They’re coming at you from every different angle they can find.”

Lewis noted that no business today is immune from attack, citing banks as a particular example. He further explained that, while traditional attack methods might typically route through a device on the bank’s networks, today’s attackers can access a bank’s infrastructure through third parties, such as its processing center.

Adopting a zero-trust model in security — and taking advantage of tools such as asset inventory, user management and network zone segmentation — can help security teams to gain visibility into every user and device on the business’s networks. As Shyamsundar put it, it ensures that the right people have the right level of access to the right resources in the right context, all of which should be continuously assessed.

“You’re always going to have different groups doing different jobs,” said Lewis, “but there’s no reason they should have access to everything.”

And for businesses hoping to get started on their zero-trust journey, Lewis assured them that most of the tools and technologies they need are likely already in place in their organization.

Get Started with Zero Trust

Lewis made it abundantly clear that zero trust is not an end goal, but rather something that businesses should aspire to. “There’s no such thing as a zero-trust certification,” he said.

Furthermore, Shyamsundar informed attendees that a zero-trust process should happen in a phased approach, starting with identifying the problems the business currently faces and how removing those can help achieve business objectives. From there, organizations should evaluate the technologies that make the most sense for them.

“There’s not really a silver-bullet vendor that does all of zero trust, so that’s why it’s important to partner with different vendors,” said Shyamsundar. Lewis echoed that opinion in his presentation.

Something else that Lewis and Shyamsundar both agree on: A zero-trust approach to security, while introducing new technologies such as multifactor authentication for employees, should have minimal impact on the end user’s workflow.

To accomplish this, security teams should get buy-in from end-user employees. Lewis explained that security professionals need to level with employees and introduce this new security model as something that’s ultimately good for them, because, “99 percent of the time, they have no idea what we’re talking about.”

“Security should be an enabler for the business to do things safely and securely,” said Lewis. “We have to make sure that we, as security professionals, are not vilifying the users, but educating them.”